<@ULVA73B9P> It appears flows are using the github...
# marvin-in-the-wild
a
@Marvin It appears flows are using the github credentials to get the flow and run it but the flow should only use the task execution role. How do I ensure the flow is only using the provided role?
m
To ensure your flows use only the provided task execution role instead of GitHub credentials, you can follow these steps:

1. Configure Execution and Task Roles: Make sure that your workflow is set up to use the appropriate AWS IAM roles for both execution and task roles. In your `ECSTask` block configuration, include both `executionRoleArn` and `taskRoleArn`. Example:
2. Allocate Roles in Task Definitions: Ensure that the task definitions in your ECS configuration specify the right roles:
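```python
from prefect.deployments import Deployment
from prefect_aws import AwsCredentials
from prefect_aws.ecs import ECSTask

# Placeholder block name: load the AWS credentials block saved in your workspace.
aws_credentials = AwsCredentials.load("your-aws-credentials-block")

ecs_task = ECSTask(
    aws_credentials=aws_credentials,
    task_definition_arn="your-task-definition-arn",
    cluster="your-cluster",
    launch_type="FARGATE",  # or other appropriate launch type
    # Execution role: used by ECS itself to pull the image and write logs.
    execution_role_arn="arn:aws:iam::your-account-id:role/your-execution-role",
    # Task role: the identity the flow's own code runs as inside the container.
    task_role_arn="arn:aws:iam::your-account-id:role/your-task-role",
    stream_output=True,
)

# `flow` is your @flow-decorated function, defined elsewhere.
# ECSTask is an infrastructure block, so it is attached through `infrastructure=`.
deployment = Deployment.build_from_flow(
    flow=flow,
    name="your-deployment-name",  # placeholder
    infrastructure=ecs_task,
)
deployment.apply()
```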
3. Flow Deployment and Role Separation: When deploying your flow, ensure that you separate the roles for execution and task processing, ensuring that you configure Prefect to use the specific IAM roles assigned for the task.

For more detailed guidance, check:
- Flow Code Deployment
- AWS ECS Configuration

If you need further examples or run into issues, you might find GitHub Issues #7689 and Examples related to managing ECS tasks relevant.

By ensuring correct configuration, you should be able to restrict flow executions to only use the provided role credentials. If you need more help or another example, let me know.